Conversations with customers at Cisco Live Melbourne highlight the power of CloudCenter to manage network policy objects and streamline micro-segmented network security.
Two customer stories stuck with me after the show that highlight real-world value that CloudCenter brings to environments with Cisco ACI.
The first story came from Woolworth’s on stage with Soni Jiandani, SVP of Marketing for the Insieme business unit at Cisco, during an innovation talk. The Woolworth’s team mentioned that they have 5 million firewall rules in their datacenter. 5 MILLION! This isn’t abnormal, but the thought of managing all of that is daunting. The Woolworth’s team went on to mention that just because they have 5 million firewall rules doesn’t mean that they’re all being used; instead, they are an accumulation of years of rule creation. When manually managing firewall rules, there’s the very real concern that accidentally deleting the wrong rule could bring down business-critical applications. To the person that performed the deletion, it’s considered a resume-generating event. Needless to say, the fear of inadvertently breaking something causes network admins to rarely delete policies, which drives the number of firewall rules higher and increases the security risk along with it.
Woolworth’s environment is not unique among large organizations. A service provider told us about the same challenge at the Victoria triple-0 dispatch service (Australia’s version of 9-1-1), where firewall rules were also managed manually. At triple-0, though, a network admin’s worst fears were realized when an incorrect rule was removed and brought down the dispatch logging application, forcing operators to hand-record all calls using pen and paper. (http://www.theaustralian.com.au/news/latest-news/no-one-harmed-in-vic-000-outage-report/story-fn3dxiwe-1226813338975).
The Future includes more rules
SDN includes powerful automation that isn’t possible with more traditional network approaches. Software-defined network policies and rules offer a powerful way to control machines that are supposed to talk only to each other over explicitly defined connections. This is called micro-segmentation, and it increases security by stopping unauthorized access from moving laterally to other machines in the datacenter. By implementing micro-segmentation, the number of firewall rules will increase, because rules are applied to every single application tier deployed.
If only there was a way to automate and manage all of this complexity in the context of the application...
If you haven’t already seen them, there are a couple of videos up on the CliQr YouTube channel that demonstrate how CloudCenter automatically creates policy objects including endpoint groups, contracts, and firewall rules during the application deployment process:
It’s great that CloudCenter will automate creation of policy objects deployed through ACI. But it’s just as important to manage those objects throughout the application and infrastructure lifecycle, for example when applications are scaled in/out or terminated.
In the case of a scale out/in, CloudCenter dynamically creates the required application tier infrastructure, installs the application code, notifies the load balancer, and then adds the newly created infrastructure to the ACI contracts. This means that micro-segmentation is dynamically retained through application scaling. When the application is scaled back, and instances are removed, the scale-related policy objects are automatically deleted as well.
When the application is destroyed and underlying resources are released, CloudCenter cleans up after itself by deleting all endpoint groups, contracts, and firewall rules that were associated with the application and infrastructure deployment. Network admins on board with SDN and micro-segmentation appreciate this because it eliminates the risk of them accidentally deleting the wrong rules and guarantees the closure of possible malicious entry points.
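The lifecycle behaviour described in the two paragraphs above (rules created per tier instance at deployment, kept in step during scale out/in, and removed wholesale at teardown) can be made concrete with a small model. The following is an added illustration written for this post, not CloudCenter or ACI code: the `PolicyStore` class, the `Rule` record, the deployment id `shop-42`, the tier and port values and the legacy rule are all constructed here. Every rule carries the id of the deployment that owns it, so scaling re-synchronizes exactly the owned rules, teardown deletes exactly the owned rules, and an `orphaned_rules()` audit surfaces the kind of unowned, years-old rules that nobody dares delete by hand.

```python
"""Lifecycle-scoped firewall rules: an illustrative model, not CloudCenter/ACI code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str    # source instance (name or address)
    dst: str    # destination instance
    port: int   # allowed TCP port
    owner: str  # deployment id that created the rule; "" means legacy/unknown owner


class PolicyStore:
    """Holds firewall rules and remembers which application deployment owns each one."""

    def __init__(self) -> None:
        self.rules: Set[Rule] = set()
        # deployment id -> tier name -> list of instance names
        self.deployments: Dict[str, Dict[str, List[str]]] = {}
        # deployment id -> contracts as (src_tier, dst_tier, port)
        self.contracts: Dict[str, List[Tuple[str, str, int]]] = {}

    def add_legacy_rule(self, src: str, dst: str, port: int) -> None:
        """A hand-made rule with no recorded owner (the 'accumulated over years' case)."""
        self.rules.add(Rule(src, dst, port, ""))

    def deploy(self, dep_id: str, tiers: Dict[str, List[str]],
               contracts: List[Tuple[str, str, int]]) -> None:
        """Create the tier instances and the rules that each contract implies."""
        self.deployments[dep_id] = {t: list(i) for t, i in tiers.items()}
        self.contracts[dep_id] = list(contracts)
        self._sync(dep_id)

    def scale(self, dep_id: str, tier: str, instances: List[str]) -> None:
        """Scale a tier out or in; the owned rule set follows the instance list."""
        self.deployments[dep_id][tier] = list(instances)
        self._sync(dep_id)

    def destroy(self, dep_id: str) -> None:
        """Tear down the application and every rule it owns, nothing more, nothing less."""
        del self.deployments[dep_id]
        del self.contracts[dep_id]
        self.rules = {r for r in self.rules if r.owner != dep_id}

    def orphaned_rules(self) -> Set[Rule]:
        """Rules nobody can vouch for: unowned, or owned by a deployment that is gone."""
        return {r for r in self.rules if r.owner not in self.deployments}

    def _sync(self, dep_id: str) -> None:
        """Make the deployment's owned rules match its current instances exactly."""
        tiers = self.deployments[dep_id]
        wanted: Set[Rule] = set()
        for src_tier, dst_tier, port in self.contracts[dep_id]:
            wanted |= {Rule(s, d, port, dep_id)
                       for s in tiers[src_tier] for d in tiers[dst_tier]}
        owned = {r for r in self.rules if r.owner == dep_id}
        self.rules -= owned - wanted   # scale-in: drop rules for removed instances
        self.rules |= wanted - owned   # scale-out: add rules for new instances


def demo() -> Dict[str, int]:
    """Walk one application through deploy, scale out, scale in and destroy."""
    store = PolicyStore()
    # constructed legacy rule: unknown owner, nobody knows if it is still needed
    store.add_legacy_rule("10.0.9.5", "10.0.9.6", 8080)

    tiers = {"web": ["web-1"], "app": ["app-1"], "db": ["db-1"]}
    contracts = [("web", "app", 8080), ("app", "db", 5432)]
    store.deploy("shop-42", tiers, contracts)
    counts = {"after_deploy": len(store.rules)}          # 1 legacy + 2 owned

    store.scale("shop-42", "app", ["app-1", "app-2"])    # scale out the app tier
    counts["after_scale_out"] = len(store.rules)         # 1 + 2 (web->app) + 2 (app->db)

    store.scale("shop-42", "app", ["app-1"])             # scale back in
    counts["after_scale_in"] = len(store.rules)          # back to 3

    counts["orphans_before_destroy"] = len(store.orphaned_rules())  # only the legacy rule
    store.destroy("shop-42")
    counts["after_destroy"] = len(store.rules)           # only the legacy rule remains
    counts["orphans_after_destroy"] = len(store.orphaned_rules())
    return counts


if __name__ == "__main__":
    for step, n in demo().items():
        print(f"{step:>24}: {n}")
```

The ownership tag is the whole point: because teardown filters on `owner == dep_id`, it can never reach the legacy rule, and because `orphaned_rules()` reports rules with no live owner, the one rule that survives is flagged for review rather than silently joining the pile.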
Managing network objects throughout the application and infrastructure lifecycle means that, going forward, having 5 million firewall rules, of which nobody knows how many are actually needed, is a thing of the past. Organizations will only have firewall rules that are in use with active application deployments.
CloudCenter is powerful yet simple insurance for network admins that takes the guesswork and repetitive manual work out of managing firewall rules. The result is easier to administer network policies and less chance of those nasty resume-generating events.